Senior Cyber Governance, Risk & Compliance (GRC) Analyst

About The Position

Requirements

• 7+ years of progressive experience in Information Security, Third‑Party Risk Management, Vendor Risk Management, GRC, or Operational Risk.
• Demonstrated experience owning, building, or leading a Third‑Party / Vendor Risk Management program.
• Bachelor's degree in information security, Computer Science, Business Administration, or a related field or equivalent practical experience.
• Strong experience conducting security risk assessments, assurance reviews, audits, and remediation management.
• Deep technical understanding of cloud, SaaS, infrastructure, and AI vendor risk.
• Hands on experience reviewing SOC 2, ISO 27001, penetration test reports, CAIQ, SIG, and similar security documentation.
• Strong written and verbal communication skills, with the ability to translate technical risk into a clear business context for diverse audiences, including senior leadership.
• Proven ability to work autonomously, manage competing priorities, and drive outcomes in a fast paced environment.

Responsibilities

• Design, implement, operate, and continuously mature the Third‑Party Risk Management program, evolving it from a reactive, compliance driven function into a proactive, risk-based capability.
• Execute and oversee the full third-party risk lifecycle, including onboarding, inherent and residual risk assessments, due diligence, periodic reviews, contract risk review, issue management, remediation tracking, and ongoing monitoring.
• Perform deep technical security and risk assessments of third parties, including cloud services, SaaS platforms, infrastructure providers, and technology vendors.
• Review and interpret security assurance artifacts such as SOC 2 Type II reports, penetration test reports, CAIQ, SIG, ISO certifications, and other compliance attestations.
• Evaluate complex vendor solutions, including API integrations with critical internal systems, cloud native architectures (AWS, Azure, GCP), and AI/ML platforms.
• Assess and manages emerging third-party risks, including artificial intelligence risks such as data provenance, model integrity, data leakage, and secure handling of proprietary or regulated data.
• Lead end-to-end issue and remediation management, ensuring accountability, effectiveness, and timely closure of identified control gaps.
• Develop and maintain TPRM standards, playbooks, governance models, escalation paths, and operating procedures aligned with regulatory expectations and business needs.
• Build and deliver meaningful reporting, dashboards, and metrics that provide leadership with clear visibility into third-party risk posture, trends, and decision points.
• Support privacy operations, including Data Subject Requests (DSRs), Data Protection Impact Assessments (DPIAs), and data mapping initiatives.
• Partner with Privacy and Legal stakeholders to assess vendor and internal data processing risks and ensure appropriate safeguards are in place.
• Contribute to privacy related risk assessments, controls validation, and remediation tracking as needed.
• Support cyber GRC activities, including tracking information security risks, risk exceptions, and remediation plans.
• Assist with the implementation and ongoing operation of security and risk management frameworks (e.g., NIST, ISO, SOC 2).
• Contribute to audit and assurance activities by providing risk assessments, evidence, and clear articulation of control posture.
• Provide support to information security operations as needed, including incident response activities, impact analysis, and post incident follow‑up.
• Contribute to security awareness and training initiatives, helping translate risk themes into actionable guidance for the business.
• Assist with cross functional security initiatives during periods of increased demand or emerging risk.
• Serve as a trusted risk advisor to vendor relationship owners and senior stakeholders, reducing their operational burden while preserving clear risk ownership and accountability.
• Partner closely with Legal, Compliance, Procurement, Technology, and Security teams to synthesize requirements and deliver practical, risk‑appropriate solutions.
• Review vendor contracts and summarize risk‑relevant provisions, control obligations, and gaps, partnering with Legal to support risk‑informed contract decisions.
• Escalate material risks, delays, or control gaps thoughtfully and early, framing issues in clear business terms and presenting well‑defined options for decision‑making.

Benefits

• Health Insurance
• Savings and Retirement Plan
• Employee Assistance Program
• Generous Vuori Discount & Industry Perks
• Paid Time Off
• Wellness & Fitness benefits